Importing SSL cert into PALOALTO Firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Importing SSL cert into PALOALTO Firewall

L0 Member

Hi,

 

I am facing problem when I import the 3rd party generated ssl cert into firewall, for example:

I generated the certificate locally on firewall and named it as mycert and when I exported it, it was named automatically to cert-mycert.csr

after generating the 3rd party key and downloaded locally to my PC, the name of the new certs are on default random naming.

usually I get 3 files: (.pem, .csr) file types.

when I import them, the certificate does not seem to change from pending state.

 

can anyone help please? I know that there is some kind of specific naming process but dont know what exactly to do and on which cert file?

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

When you import cert in you need to give it same name as your CSR is in the firewall. For example "mycert" as you mentioned in your case.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post


@SamerSaleem wrote:

so not the name that was saved on my local drive which is exported to "cert-mycert.csr" automatically?


When you first created the certificate signing request (CSR), you clicked the "Generate" button and then entered a name under "Certificate Name:". When you import the signed certificate click the "Import" button and then enter the same name under "Certificate Name:", and then select whatever filename you have on your desktop (the filename doesn't matter, just the certificate object name). The PaloAlto will automatically match the signed certificate to the previously generate CSR by the same name.

 

The signed certificate need to be a base64-encoded PEM file (either .pem or .cer typically), not a "Windows binary" PEM file. You can open it in notepad and you should see something like:

-----BEGIN CERTIFICATE-----
un098n3rimc09n8mricn93imc9imdcin39j83r03c3d
9ijc9crm93mc9r93m9c8m3mc39mr3f9mr09r0c9irm8
c0948j984j0f0984098j03f08r3mf098j3rmf9843jr
m498j40m984jf048jf0984jrf984kjr9fk4r09fk===
-----END CERTIFICATE-----

 

View solution in original post

11 REPLIES 11

Cyber Elite
Cyber Elite

When you import cert in you need to give it same name as your CSR is in the firewall. For example "mycert" as you mentioned in your case.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

so not the name that was saved on my local drive which is exported to "cert-mycert.csr" automatically?


@SamerSaleem wrote:

so not the name that was saved on my local drive which is exported to "cert-mycert.csr" automatically?


When you first created the certificate signing request (CSR), you clicked the "Generate" button and then entered a name under "Certificate Name:". When you import the signed certificate click the "Import" button and then enter the same name under "Certificate Name:", and then select whatever filename you have on your desktop (the filename doesn't matter, just the certificate object name). The PaloAlto will automatically match the signed certificate to the previously generate CSR by the same name.

 

The signed certificate need to be a base64-encoded PEM file (either .pem or .cer typically), not a "Windows binary" PEM file. You can open it in notepad and you should see something like:

-----BEGIN CERTIFICATE-----
un098n3rimc09n8mricn93imc9imdcin39j83r03c3d
9ijc9crm93mc9r93m9c8m3mc39mr3f9mr09r0c9irm8
c0948j984j0f0984098j03f08r3mf098j3rmf9843jr
m498j40m984jf048jf0984jrf984kjr9fk4r09fk===
-----END CERTIFICATE-----

 

How to import SSl certificate for my website www.emiratesevisaonline.com

Emirates E visa Online provides Emirates visa, you can apply Emirates Visa Online at https://www.emiratesevisaonline.com

How did you generate a SSL certificate?

Importing the signed certificate with the same name as the CSR does not work.   It results in a mismatched public/private key error message.  Only when importing the signed certificate with the name "cert_" prefixed to the name will it work.  For example, when exporting the CSR, Panorama adds "cert_" to the front of the name.  So the filename is cert_MyCert.csr.  When importing the signed certificate, if you use 'MyCert' it fails.  If you use 'cert_MyCert' it succeeds, but the Key checkbox remains unchecked and the CSR remains in 'pending' state.

The Key checkbox remains unchecked and the CSR remains pending because you did not import the signed certificate correctly. You must import the signed certificate with the certificate object name exactly the same as the CSR you generated. The file name of the CSR and signed certificate does not matter.

 

You generate a CSR to be signed by clicking the "Generate" button at the bottom of the Device->CertificateManagement->Certificates screen and then fill out the relevant information:

Certificate Name:  MyCert

Common Name:  myserver.example.com

Signed By:  External Authority (CSR)

....

 

When you click the "Generate" button in the Generate Certificate window the output CSR will, by default, be named "cert_MyCert.csr". You can rename the file to anything you want when saving/before submitting to your certificate authority for signing. The content of the CSR matters, not the filename.

 

After your certificate authority has returned your signed certificate you need to import it to match the CSR previously generated. They may give you a file named "cert_MyCert.cer" or it may be completely different like "myserver_20230715_signed.cer". Again the file name doesn't matter. You click the Import button at the bottom of the Certificates screen and enter the Certificate Name exactly as you did when generating the CSR:

Certificate Name:  MyCert

Certificate File:  myserver_20230715_signed.cer

File format:  Base64 Encoded Certificate (PEM)

...

 

The PaloAlto will now attempt to match the signed certificate to the previously generated "MyCert" CSR object.

  • If the signed certificate fails to match the CSR you will get a duplicate certificate name error or mismatch public/private key error.
  • If you give a different Certificate Name than you used when you generated the CSR, the imported certificate will not be matched against the CSR, it will be imported as a stand alone certificate (for verifying the identity of other devices, not signing local communications).
  • If the signed certificate matches the CSR then the pending CSR will change to a certificate with a key with a valid status.

 

1) If you have imported the signed certificate with a different Certificate Name than the CSR your generated (and it hasn't matched/has no private key), delete the certificate and reimport with the same object name as the CSR. Don't delete the CSR object as you can't recover that unless you have previously exported it with the private key.

 

2) If your imported signed certificate has a key mismatch with the CSR, then either the signed certificate is not from the CSR or the file has been corrupted (or the signing authority tried to change certificate fields). Make sure you are importing a PEM file (ASCII base64-encoded) and your certificate authority has not sent you a DER file (Windows binary-encoded). Also make sure you did not create multiple CSRs and you are trying to import a signed certificate against the wrong CSR (i.e. you signed the wrong one).

 

3) Also note: If you are signing your CSR with a private certificate authority (i.e. your own internal corporate certificate infrastructure), you need to import the certificate authority chain before importing the signed certificate (if your CA provides a chain in the signed certificate this may not be necessary). Once the CSR is signed it will appear under the certificate chain.

 

See the KnowledgeBase for creating a CSR and importing the signed certificate:

https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClSx

 

Thank you for this detailed response.  Should the CSR be generated from the local firewall or from Panorama?  We received an intermediate and primary (device) certificate.  Is it necessary to import them as a chained certificate (https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm) or can they be imported independently?  That is, select the orange 'pending' CSR, import the intermediate certificate, and then select the orange 'pending' CSR again and import the primary (device) certificate with the same name as the CSR? 

I do not have Panorama, and as such I always generated CSRs on the local firewall, but it is my understanding you can also do it from Panorama (I suspect its Panorama instructing the local firewall to generate the cert and then downloading the CSR).

 

If the certificate is signed by a well known CA (i.e. Digicert Global Root G2) the CA certificate is likely already loaded under Device->CertificateManagement->Certificates->DefaultTrustedCertificateAuthorities. You don't need to separately load the parts of a chained certificate (sometimes known as a PK12 file), you can just import the chain directly against the CSR and the PaloAlto will automatically add the rest as needed.

 

See the KnowledgeBase for importing chained certificate (it references and is the same steps as the KB for importing a signed certificate above):

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkoCAC

 

If you have signed the certificate with your own private CA, and a complete chained certificate was not provided, then you will need to import the private root CA (and private intermediate CA if so signed) before importing signed certificate against the CSR.


@Adrian_Jensen wrote:

I do not have Panorama, and as such I always generated CSRs on the local firewall, but it is my understanding you can also do it from Panorama (I suspect its Panorama instructing the local firewall to generate the cert and then downloading the CSR).

 


From what I have seen, Panorama generates the private key and pushes it to the firewall as part of the template.  And likewise, it will push the signed cert to the firewall.  Doesn't matter if you push private key / CSR to the firewall before importing the signed cert or after.

 

The certs/keys are like any other template settings...just that they happen to be a few hundred characters of randomness instead of other typical settings that are short legible strings.

Since the thread was quite useful, i have a similar requirement wherein I already have my internal corporate Root CA and Itermediate CA in my Palo alto firewall certificate store imported. Also other Ipsec vpns with cert-based authentication is running fine.

Now, to estalblish a new ipsec s2s vpn with a new branch office with cert-based auth, i generated the csr and received a signed certificate with pkcs7 having root and intermediate cert in it. However, when i import it into Palo alto, it is asking for key which i did not received from the PKI admin. Do i need to ask the key file as well to import? Also, the cert file received is pkcs7 and palo alto requires pkcs12 will it work if i import the pkcs7 file only??

 

Also, if i import just the signed certificate with no chain will it work ? since i believe it should because as i mentioned earlier, the Palo alto already has Root CA and Intermediate CA installed from the earlier vpn setup.

 

Pls guide.

  • 2 accepted solutions
  • 5976 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!